Slide 1
Lattice-Based Cryptography
Vadim Lyubashevsky
Slide 2
Cryptography
Allows for secure communication in the presence of malicious parties
Slide 5
Symmetric-Key Cryptography
Secret Key = s (both parties hold the same s)
Will still exist if quantum computers are built
Slide 7
Public-Key Cryptography
Secret Key = s
Public Key = p (the same p is handed to every sender)
Slide 9
Mathematical Assumptions for Public-Key Cryptography
N = pq: factoring is hard
g^x = y mod p: computing discrete logs is hard
Mostly problems from number theory
All broken once a quantum computer is built
Slide 10
Consequence of Quantum Computing
Current public key schemes will be broken
Quantum computers will recover all of today's secrets
Slide 11
Consequence of Quantum Computing
Need to eventually migrate all internet security to quantum-resistant schemes
Do it only once!
Slide 12
Assumptions for Quantum-Resilient Public-Key Cryptography
N = pq (factoring is hard) and g^x = y mod p (computing discrete logs is hard): broken by quantum computers
Finding short vectors in lattices is hard
(f, g) in Z[x]/(x^n + 1)
Slide 13
Ultimate Goal
Construct practical, quantum-resilient cryptography for every device
Slide 14
The Critical Schemes
Digital Signatures
Key Exchange (Public Key Encryption)
Slide 15
Practical Lattice-Based Constructions
Key Exchange:
NTRU public-key encryption (1998)
Ring-LWE public-key encryption (2010)
Digital Signatures:
Recent (2013) schemes (e.g. BLISS)
Slide 16
Lattice Cryptography ≈ Knapsack Cryptography (done correctly)
Slide 17
The Subset Sum (Knapsack) Problem
Slide 18
Subset Sum Problem
a_i, T in Z_M
a_i are chosen randomly
T is a sum of a random subset of the a_i
a_1 a_2 a_3 … a_n | T
Find a subset of a_i's that sums to T (mod M)
Slide 19
Subset Sum Problem
a_i, T in Z_49
a_i are chosen randomly
T is a sum of a random subset of the a_i
15 31 24 3 14 | 11
15 + 31 + 14 = 11 (mod 49)
Slide 20
How Hard is Subset Sum?
a_i, T in Z_M
a_1 a_2 a_3 … a_n | T
Find a subset of a_i's that sums to T (mod M)
Hardness depends on:
Size of n and M
Relationship between n and M
Slide 21
Complexity of Solving Subset Sum
M              run-time
2^(log²(n))    poly(n)     "generalized birthday attacks" [FlaPrz05, Lyu06, Sha08]
2^n            2^(Ω(n))
2^(n log(n))   2^(cn)
2^(n²)         poly(n)     "lattice reduction attacks" [LagOdl85, Fri86]
Slide 22
Subset Sum is "Pseudorandom"
Slide 23
"Computationally Indistinguishable"
(figure: samples Y_1, Y_2, …, Y_k, … are drawn from a distribution D_Y and samples X_1, X_2, …, X_k, … from a distribution D_X; given samples Z_1, Z_2, …, Z_k, … from an unknown distribution D, decide whether D = D_X or D = D_Y)
Slide 24
Subset Sum is "Pseudorandom"
[Impagliazzo-Naor 1989]: For random a_1, ..., a_n in Z_M and random x_1, ..., x_n in {0,1}, distinguishing the distribution (a_1, ..., a_n, a_1 x_1 + ... + a_n x_n mod M) from the uniform distribution U(Z_M^(n+1)) is as hard as finding x_1, ..., x_n
Slide 25
What About Public-Key Encryption?
Many early attempts
None of them had proofs of security
All seem to be broken
Slide 26
Cryptosystem based on subset sum [L, Palacio, Segev 2010]
Slide 27
Facts About Addition
Adding n numbers (written in base q) modulo q^m → carries < n
If q > n, then adding with carries (i.e. in Z_M) ≈ adding without carries (i.e. in Z_q^n)
Example: want to add 4679 + 3907 + 8465 + 1343 mod 10^4
  4 6 7 9
  3 9 0 7
  8 4 6 5
+ 1 3 4 3
With carries (in Z_10000): 8 3 9 4, with carries 2, 1, 2 coming out of the units, tens and hundreds columns (each carry < n = 4)
Without carries (column-wise, in Z_10^4): 6 2 7 4
Column-wise, 6 2 7 4 + 2 1 2 0 = 8 3 9 4: the two sums differ only by the carry vector
Slide 28
So...
Rows selected by x = (1, 1, 0, 1):
  4 6 7 9
  3 9 0 7
  8 4 6 5
  1 6 4 3
Column-wise, without carries (in Z_10^4): 8 1 1 9 → NOT Pseudorandom!
Carries entering the columns: 2 1 1 0
With carries (in Z_10000): 8 1 1 9 + 2 1 1 0 = 0 2 2 9 → Pseudorandom based on Subset Sum!
Slide 29
Column Subset Sum Addition Is Also Pseudorandom
(figure: the same four rows with selection bits; the remaining digits are not recoverable from the extraction)
Slide 30
"Hybrid" Subset Sum Addition Is Also Pseudorandom
Rows 4 6 7 9 0, 3 9 0 7 9, 8 4 6 5 8, 1 6 4 3 0 selected by x = (1, 0, 0, 1):
carries 1 1 1 0 0, result 6 3 2 2 0 (some columns added with carries, the others without) → pseudorandom
Slide 31
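The carry identity of slides 27-30 on the slides' own rows, as an added example that is not code from the slides: the with-carries subset sum in Z_M (M = q^m) equals the column-wise sum in Z_q^m plus the carry vector, and every carry is < n.

```python
from typing import List, Sequence, Tuple

def digits(value: int, q: int, m: int) -> List[int]:
    """Base-q digits of value mod q^m, most significant digit first."""
    return [(value // q ** (m - 1 - j)) % q for j in range(m)]

def sum_with_carries(rows: Sequence[int], x: Sequence[int], q: int, m: int) -> List[int]:
    """Ordinary subset sum of the selected rows as integers mod q^m (i.e. in Z_M, M = q^m)."""
    return digits(sum(r for r, xi in zip(rows, x) if xi), q, m)

def sum_without_carries(rows: Sequence[int], x: Sequence[int], q: int, m: int) -> List[int]:
    """Column-wise subset sum: every digit column is added separately mod q (i.e. in Z_q^m)."""
    cols = [digits(r, q, m) for r in rows]
    return [sum(cols[i][j] for i in range(len(rows)) if x[i]) % q for j in range(m)]

def carries(rows: Sequence[int], x: Sequence[int], q: int, m: int) -> List[int]:
    """Carry entering each column during the integer addition (the units column gets 0)."""
    cols = [digits(r, q, m) for r in rows]
    c, carry = [0] * m, 0
    for j in range(m - 1, -1, -1):                     # units column first
        c[j] = carry
        carry = (sum(cols[i][j] for i in range(len(rows)) if x[i]) + carry) // q
    return c

def check(rows, x, q, m) -> Tuple[List[int], List[int], List[int], bool, bool]:
    """(without carries, carries, with carries, with == without + carries column-wise, all carries < n)."""
    without = sum_without_carries(rows, x, q, m)
    c = carries(rows, x, q, m)
    with_c = sum_with_carries(rows, x, q, m)
    identity = all((w + ci) % q == s for w, ci, s in zip(without, c, with_c))
    return without, c, with_c, identity, max(c) < len(rows)

ROWS_SLIDE_27 = [4679, 3907, 8465, 1343]      # slide 27: all four rows are added
ROWS_SLIDE_28 = [4679, 3907, 8465, 1643]      # slide 28: rows selected by x = (1, 1, 0, 1)

if __name__ == "__main__":
    print(check(ROWS_SLIDE_27, [1, 1, 1, 1], 10, 4))   # ([6,2,7,4], [2,1,2,0], [8,3,9,4], True, True)
    print(check(ROWS_SLIDE_28, [1, 1, 0, 1], 10, 4))   # ([8,1,1,9], [2,1,1,0], [0,2,2,9], True, True)
```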
Encryption Scheme
Public Key: A in Z_q^(n x n) and t = A s, where s in {0,1}^n is the secret key (t is the subset sum, with carries, of the columns of A selected by s)
Encryption of m with a random r in {0,1}^n: u = A^t r, v = r·t + m, i.e. (u, v) = [A^t ; t^t] r + (0, m)
Slide 32
Encryption Scheme
(A, t = A s) is pseudo-random based on the hardness of the subset sum problem
Slide 33
Encryption Scheme
v = r·t + m = r·(A s) + m
Slide 34
Encryption Scheme
u·s = (A^t r)·s ≈ r·(A s) = r·t (the two sides differ only by the small carries)
Slide 35
Encryption Scheme
Decryption: v − u·s ≈ m
represent 0 by m = 0
represent 1 by m = (q−1)/2
Slide 36
Cryptosystem based on LWE [Regev 2005]
Slide 37
Encryption Scheme (what we needed)
Public Key: A and t = A s + e, where e is "small" and (A, t) is pseudorandom
Encryption of m with r in {0,1}^n: u = A^t r, v = r·t + m, i.e. (u, v) = [A^t ; t^t] r + (0, m)
Slide 38
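The scheme of slides 31-37 in its LWE form, as an added example that is not code from the slides: s and r are binary, the deterministic carries are replaced by a random e in {-1, 0, 1}^n, and a bit is represented by m in {0, (q-1)/2} as on slide 35. The parameters n = 64 and q = 4093 are assumed toy values; decryption is exact because |r·e| ≤ n < q/4.

```python
import random

N, Q = 64, 4093            # toy dimension and odd modulus (assumed, not from the slides)
rng = random.Random(1)     # fixed seed so the example is reproducible

def keygen(n=N, q=Q):
    """Public key (A, t = A s + e mod q); secret key s in {0,1}^n; e in {-1,0,1}^n is the random 'carry'."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
    s = [rng.randrange(2) for _ in range(n)]
    e = [rng.choice((-1, 0, 1)) for _ in range(n)]
    t = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(n)]
    return (A, t), s

def encode(bit, q=Q):
    """Represent 0 by m = 0 and 1 by m = (q-1)/2, as on slide 35."""
    return bit * ((q - 1) // 2)

def encrypt(pk, bit, q=Q):
    """Ciphertext (u, v) = [A^t ; t^t] r + (0, m) for a random r in {0,1}^n."""
    A, t = pk
    n = len(t)
    r = [rng.randrange(2) for _ in range(n)]
    u = [sum(A[i][j] * r[i] for i in range(n)) % q for j in range(n)]   # u = A^t r
    v = (sum(t[i] * r[i] for i in range(n)) + encode(bit, q)) % q        # v = r.t + m
    return u, v

def decrypt(sk, ct, q=Q):
    """v - u.s = r.e + m (mod q): r.e is small, so decode to the nearer of 0 and (q-1)/2."""
    u, v = ct
    d = (v - sum(u[j] * sk[j] for j in range(len(sk)))) % q
    return 1 if q // 4 < d < 3 * q // 4 else 0

def centered_error(sk, ct, bit, q=Q):
    """The r.e term decryption has to tolerate; |r.e| <= n here, far below q/4."""
    u, v = ct
    d = (v - sum(u[j] * sk[j] for j in range(len(sk))) - encode(bit, q)) % q
    return d - q if d > q // 2 else d

def roundtrip(trials=16):
    """Encrypt and decrypt random bits under a fresh key; True if every bit comes back."""
    pk, sk = keygen()
    for _ in range(trials):
        bit = rng.randrange(2)
        ct = encrypt(pk, bit)
        if decrypt(sk, ct) != bit or abs(centered_error(sk, ct, bit)) > N:
            return False
    return True
```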
Picking the "Carries"
In Subset Sum: carries were deterministic
What if … we pick the "carries" at random from some distribution?
Slide 39
So...
Rows 4 6 7 9, 3 9 0 7, 8 4 6 5, 1 6 4 3 selected by x = (1, 1, 0, 1):
column-wise sum 8 1 1 9, deterministic carries 2 1 1 0, result 0 2 2 9 → Pseudorandom based on Subset Sum
Same rows, with the carry vector replaced by randomly chosen digits → Pseudorandom based on LWE [Reg '05]
Slide 40
(Decision) LWE Problem
World 1: a_1, a_2, …, a_m and b = A s + e (A has rows a_1, …, a_m)
World 2: a_1, a_2, …, a_m and b uniformly random in Z_p^m
Theorem [Regev '05]: There is a polynomial-time quantum reduction from solving certain lattice problems in the worst-case to solving LWE.
Slide 41
LWE vs. Subset Sum
The Subset Sum assumption has "deterministic noise" (is this useful for anything?)
The LWE assumption is more "versatile"
LWE Problem: a_1, a_2, …, a_m with m = n² samples, A s + e = b
Subset Sum Problem: a_1, a_2, …, a_n, … with n² samples, A s = b → EASY!! (no error term, so s is recovered by linear algebra)
Slide 42
LWE / Subset Sum Encryption
Public Key: A and t = A s + (carries or error); ciphertext (u, v) = [A^t ; t^t] r + (0, m)
n-bit Encryption: Have / Want
Public Key Size: Õ(n) / O(n)
Secret Key Size: Õ(n) / O(n)
Ciphertext Expansion: Õ(n) / O(1)
Encryption Time: Õ(n³) / O(n)
Decryption Time: Õ(n²) / O(n)
Slide 43
Cryptosystem based on Ring-LWE [L, Peikert, Regev 2010]
Slide 44
Source of Inefficiency of LWE
A s + e = t
Getting n extra random-looking numbers (i.e. t) from a secret s requires n² random numbers (i.e. A) and an error vector
Wishful thinking: get n random numbers and produce n pseudo-random numbers in "one shot"
(figure: 2 8 7 3 * 1 0 2 1, a product of two length-n vectors)
Slide 45
Use Polynomials
f(x) is a polynomial x^n + a_(n−1) x^(n−1) + … + a_1 x + a_0
R = Z_p[x]/(f(x)) is a polynomial ring with
Addition mod p
Polynomial multiplication mod p and f(x)
Each element of R consists of n elements in Z_p
In R:
small + small = small
small * small = small (depending on f(x))
Slide 46
Ring-LWE cryptosystem
Public Key: a and t = a·s + e, where the Secret Key s and the error e are small elements of R
Encryption of m with small r, e', e'': u = a·r + e', v = t·r + e'' + m
Decryption: v − u·s = r·(a·s + e) + e'' + m − (a·r + e')·s = r·e − e'·s + e'' + m ≈ m (the error terms are small in R)
Slide 47
Security
(a, t = a·s + e): Pseudorandom??
(u, v) = (a·r + e', t·r + e'' + m)
Slide 48
Decision Learning With Errors over Rings
World 1: a_1, a_2, a_3, …, a_m and b_1, b_2, b_3, …, b_m with b_i = a_i·s + e_i
World 2: a_1, a_2, a_3, …, a_m and b_1, b_2, b_3, …, b_m uniformly random
Theorem [LPR '10]: In cyclotomic rings, there is a quantum reduction from solving worst-case problems in ideal lattices to solving Decision-RLWE
Slide 49
Security
(a, t = a·s + e): Pseudorandom based on Decision Ring-LWE!!
(u, v) = (a·r + e', t·r + e'' + m)
Slide 50
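The Ring-LWE scheme of slide 46 in R = Z_q[x]/(x^n + 1), as an added example that is neither the slides' nor LPR10's code: one uniform ring element a replaces the n x n matrix, and one (u, v) pair carries n bits at once. The values n = 256 and q = 7681 are assumed toy parameters; "small" elements have coefficients in {-1, 0, 1}, so every coefficient of r·e − e'·s + e'' is at most 2n + 1 < q/4 in absolute value.

```python
import random

N, Q = 256, 7681           # toy ring degree and modulus (assumed, not from the slides)
rng = random.Random(7)

def add(f, g, q=Q):
    """Coefficient-wise addition mod q."""
    return [(a + b) % q for a, b in zip(f, g)]

def mul(f, g, q=Q):
    """Schoolbook product in Z_q[x]/(x^n + 1): a power x^k with k >= n wraps to -x^(k-n)."""
    n = len(f)
    out = [0] * n
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            k = i + j
            if k < n:
                out[k] = (out[k] + a * b) % q
            else:
                out[k - n] = (out[k - n] - a * b) % q
    return out

def small(n=N):
    """A 'small' ring element: every coefficient in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]

def keygen(n=N, q=Q):
    """Public key (a, t = a*s + e), secret key s; a is a single ring element, not an n x n matrix."""
    a = [rng.randrange(q) for _ in range(n)]
    s, e = small(n), small(n)
    return (a, add(mul(a, s), e)), s

def encrypt(pk, bits, q=Q):
    """n bits in one shot: u = a*r + e', v = t*r + e'' + m with m_i = bit_i * (q-1)/2."""
    a, t = pk
    r, e1, e2 = small(len(a)), small(len(a)), small(len(a))
    m = [b * ((q - 1) // 2) for b in bits]
    return add(mul(a, r), e1), add(add(mul(t, r), e2), m)

def decrypt(sk, ct, q=Q):
    """v - u*s = r*e - e'*s + e'' + m; each coefficient stays within 2n+1 of m_i, so decode per coefficient."""
    u, v = ct
    d = [(x - y) % q for x, y in zip(v, mul(u, sk))]
    return [1 if q // 4 < c < 3 * q // 4 else 0 for c in d]

def roundtrip(n=N):
    """Encrypt n random bits under a fresh key and check they all decrypt correctly."""
    pk, sk = keygen(n)
    bits = [rng.randrange(2) for _ in range(n)]
    return decrypt(sk, encrypt(pk, bits)) == bits
```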
Ring-LWE Encryption
Public Key: a and t = a·s + e; ciphertext u = a·r + e', v = t·r + e'' + m
n-bit Encryption: From LWE / From Ring-LWE
Public Key Size: Õ(n) / Õ(n)
Secret Key Size: Õ(n) / Õ(n)
Ciphertext Expansion: Õ(n) / Õ(1)
Encryption Time: Õ(n³) / Õ(n)
Decryption Time: Õ(n²) / Õ(n)
Slide 51
Where are the lattices?
Slide 52
Subset Sum and Lattices
An integer lattice is an additive subgroup of Z^n
a_1 a_2 a_3 … a_n | T = a_1 x_1 + … + a_n x_n mod M for x_i in {0,1}
a = (a_1, a_2, …, a_n, −T)
L(a) = {y in Z^(n+1) : a·y = 0 mod M}
Notice that x = (x_1, x_2, …, x_n, 1) is in L(a)
||x|| <
Slide 53
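The lattice L(a) of slide 52 built for the Z_49 instance of slide 19, as an added example that is not code from the slides: a brute-force subset sum solver, the membership test for L(a), and an explicit basis of L(a) together with the coordinates of the short vector x in it. The basis construction is this example's own and assumes gcd(T, M) = 1, which holds for T = 11, M = 49.

```python
from itertools import product
from math import gcd
from typing import List, Optional, Sequence

def solve_subset_sum(a: Sequence[int], T: int, M: int) -> Optional[List[int]]:
    """Brute force (2^n tries): x in {0,1}^n with a_1 x_1 + ... + a_n x_n = T (mod M), or None."""
    for x in product((0, 1), repeat=len(a)):
        if sum(ai * xi for ai, xi in zip(a, x)) % M == T % M:
            return list(x)
    return None

def in_lattice(a: Sequence[int], T: int, M: int, y: Sequence[int]) -> bool:
    """Membership in L(a) = {y in Z^(n+1) : a.y = 0 mod M} with a = (a_1, ..., a_n, -T)."""
    return sum(ai * yi for ai, yi in zip(list(a) + [-T], y)) % M == 0

def lattice_basis(a: Sequence[int], T: int, M: int) -> List[List[int]]:
    """Rows generating L(a) when gcd(T, M) = 1 (assumed here):
    e_i + c_i e_(n+1) with c_i = a_i T^(-1) mod M for i <= n, and M e_(n+1)."""
    if gcd(T, M) != 1:
        raise ValueError("this basis construction needs gcd(T, M) = 1")
    n, t_inv = len(a), pow(T, -1, M)
    rows = []
    for i in range(n):
        row = [0] * (n + 1)
        row[i], row[n] = 1, (a[i] * t_inv) % M
        rows.append(row)
    rows.append([0] * n + [M])
    return rows

def coordinates(a: Sequence[int], T: int, M: int, y: Sequence[int]) -> List[int]:
    """Integer coefficients expressing a lattice vector y in the basis above."""
    basis = lattice_basis(a, T, M)
    n = len(a)
    rest = y[n] - sum(y[i] * basis[i][n] for i in range(n))   # what the last row must supply
    if rest % M != 0:
        raise ValueError("y is not in L(a)")
    return list(y[:n]) + [rest // M]

A_SLIDE, T_SLIDE, M_SLIDE = [15, 31, 24, 3, 14], 11, 49     # the instance on slide 19

def short_lattice_vector(a=A_SLIDE, T=T_SLIDE, M=M_SLIDE) -> List[int]:
    """The subset sum solution padded with a 1: x = (x_1, ..., x_n, 1), a vector of L(a)."""
    return solve_subset_sum(a, T, M) + [1]
```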
Connection to Lattices
Finding short vectors in lattices implies:
Solving subset sum
Solving LWE
Solving Ring-LWE
Basically breaking all of "lattice crypto"
Interesting part: There are proofs in the other direction
Slide 54
Connection to Lattices
Solving LWE implies:
For all lattices, determining whether a lattice has a short vector (GapSVP), via a classical reduction
For all lattices, finding n linearly-independent short vectors (SIVP), via a quantum reduction
Solving Ring-LWE over the ring Z_q[x]/(f(x)) implies:
For all ideals of Z[x]/(f(x)), finding a short vector (Ideal-SVP), via a quantum reduction
Slide 55
Purpose of Proofs in Practice
Proofs guide us to the "correct design"
Sometimes the "correct design" is surprising
Example:
We know decision problems are easy in the ring Z[x]/(x^n − 1) because x − 1 is a factor
Trying to get a security reduction led us to choose a polynomial f(x) irreducible over the integers
But working over the ring Z_q[x]/(f(x)) where f(x) factors completely over Z_q is OK – even sometimes necessary!
Slide 56
Getting a Usable Scheme
Setting exact parameters is trickier
If we follow the proof, may be too inefficient
If we deviate, we may be less secure
Need to have a feeling for what's important
No substitute for cryptanalysis
Proofs tell the cryptanalyst what to concentrate on
Slide 57
Summary
Practical designs for all the basic schemes
Public-key encryption
Digital signatures
Identity-based encryption
Authenticated key exchange (the only public-key primitive really needed on the internet)
Polynomial-time constructions for many other schemes
Group signatures
Fully-homomorphic encryption
Attribute-based encryption
Many others
Slide 58
Some Research Directions
Polynomial-time constructions for many other schemes (group signatures, fully-homomorphic encryption, attribute-based encryption, many others): come up with much better designs
Slide 59
Some Research Directions
Practical designs for all the basic schemes (public-key encryption, digital signatures, identity-based encryption, authenticated key exchange): cryptanalysis
Efficient (quantum) algorithm for finding short vectors in ideal lattices? If yes, then the hardness foundation is in question
What is the best (quantum) algorithm for Ring-LWE? Need this to set concrete parameters
Slide 60
Some Research Directions
Practical designs for all the basic schemes (public-key encryption, digital signatures, identity-based encryption, authenticated key exchange): standardization
Algorithmic problems (e.g. efficient sampling)
Want TLS and IKE to use lattices (and use them well)
Many trade-offs between speed/size possible
Resource-constrained devices
Standards may need to be "application-driven"
Slide 61
THANK YOU